Update fog-aws to v3.6.7

This adds support for retrieving credentials via the instance metadata server v2 (IMDSv2). Closes https://gitlab.com/gitlab-org/gitlab/-/issues/287816 List of changes: https://github.com/fog/fog-aws/blob/master/CHANGELOG.md Diff: https://github.com/fog/fog-aws/compare/v3.5.2..v3.6.7

Update fog-aws to v3.6.7
This adds support for retrieving credentials via the instance metadata server v2 (IMDSv2). Closes https://gitlab.com/gitlab-org/gitlab/-/issues/287816 List of changes: https://github.com/fog/fog-aws/blob/master/CHANGELOG.md Diff: https://github.com/fog/fog-aws/compare/v3.5.2..v3.6.7
12100876 · Stan Hu · 078ebbe1 · 12100876 · 12100876 · 12100876
Commit 12100876 authored Nov 24, 2020 by Stan Hu
5 changed files
--- a/Gemfile
+++ b/Gemfile
@@ -115,7 +115,7 @@ gem 'carrierwave', '~> 1.3'
 gem 'mini_magick', '~> 4.10.1'

 # for backups
-gem 'fog-aws', '~> 3.5'
+gem 'fog-aws', '~> 3.6'
 # Locked until fog-google resolves https://github.com/fog/fog-google/issues/421.
 # Also see config/initializers/fog_core_patch.rb.
 gem 'fog-core', '= 2.1.0'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -361,7 +361,7 @@ GEM
      fog-json
      ipaddress (~> 0.8)
      xml-simple (~> 1.1)
-    fog-aws (3.5.2)
+    fog-aws (3.6.7)
      fog-core (~> 2.1)
      fog-json (~> 1.1)
      fog-xml (~> 0.1)
@@ -1332,7 +1332,7 @@ DEPENDENCIES
  flipper-active_support_cache_store (~> 0.17.1)
  flowdock (~> 0.7)
  fog-aliyun (~> 0.3)
-  fog-aws (~> 3.5)
+  fog-aws (~> 3.6)
  fog-core (= 2.1.0)
  fog-google (~> 1.11)
  fog-local (~> 0.6)

--- a/changelogs/unreleased/sh-update-fog-aws.yml
+++ b/changelogs/unreleased/sh-update-fog-aws.yml
+---
+title: Update fog-aws to v3.6.7
+merge_request: 48519
+author:
+type: fixed
--- a/spec/lib/object_storage/direct_upload_spec.rb
+++ b/spec/lib/object_storage/direct_upload_spec.rb
@@ -292,6 +292,7 @@ RSpec.describe ObjectStorage::DirectUpload do

        context 'when IAM profile is true' do
          let(:use_iam_profile) { true }
+          let(:iam_credentials_v2_url) { "http://169.254.169.254/latest/api/token" }
          let(:iam_credentials_url) { "http://169.254.169.254/latest/meta-data/iam/security-credentials/" }
          let(:iam_credentials) do
            {
@@ -303,6 +304,9 @@ RSpec.describe ObjectStorage::DirectUpload do
          end

          before do
+            # If IMDSv2 is disabled, we should still fall back to IMDSv1
+            stub_request(:put, iam_credentials_v2_url)
+              .to_return(status: 404)
            stub_request(:get, iam_credentials_url)
              .to_return(status: 200, body: "somerole", headers: {})
            stub_request(:get, "#{iam_credentials_url}somerole")
@@ -310,6 +314,21 @@ RSpec.describe ObjectStorage::DirectUpload do
          end

          it_behaves_like 'a valid S3 upload without multipart data'
+
+          context 'when IMSDv2 is available' do
+            let(:iam_token) { 'mytoken' }
+
+            before do
+              stub_request(:put, iam_credentials_v2_url)
+                .to_return(status: 200, body: iam_token)
+              stub_request(:get, iam_credentials_url).with(headers: { "X-aws-ec2-metadata-token" => iam_token })
+                .to_return(status: 200, body: "somerole", headers: {})
+              stub_request(:get, "#{iam_credentials_url}somerole").with(headers: { "X-aws-ec2-metadata-token" => iam_token })
+                .to_return(status: 200, body: iam_credentials.to_json, headers: {})
+            end
+
+            it_behaves_like 'a valid S3 upload without multipart data'
+          end
        end
      end


--- a/spec/uploaders/object_storage_spec.rb
+++ b/spec/uploaders/object_storage_spec.rb
@@ -515,7 +515,7 @@ RSpec.describe ObjectStorage do
        end

        context 'uses AWS' do
-          let(:storage_url) { "https://uploads.s3-eu-central-1.amazonaws.com/" }
+          let(:storage_url) { "https://uploads.s3.eu-central-1.amazonaws.com/" }
          let(:credentials) do
            {
              provider: "AWS",